Security noticeboard

Reporting Phishing to Xero

If you suspect you’ve received a phishing or malicious email that claims to be from Xero or uses Xero’s logo, and it isn’t already reported below on the Security Noticeboard, please report it by forwarding the email to phishing@xero.com.

A genuine Xero email will always come from a xero.com domain or sub-domain address, e.g. @xero.com, @post.xero.com, @send.xero.com, @sendnz.xero.com, @support.xero.com. So if it’s not from a xero.com address, be suspicious. But please also be aware that some phishing emails attempt to spoof (impersonate) our sending addresses, so they appear to come from a xero.com address but are actually sent from a different domain.

Do not click on any links or attachments in suspicious emails. You can find out more about how to identify phishing and other malicious emails, and how to stay safe online, on our Security page.
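The sender rule above, as an added example in Python (not Xero’s own code): it extracts the domain from a From header, IDNA-encodes it so a look-alike such as xeró.com can never match, accepts only xero.com or a sub-domain of it, and then, because the From address itself can be spoofed, reports a message as genuine only when the receiving mail server’s Authentication-Results header records dmarc=pass for that domain. The three sample messages and the server name mx.example.net are constructed for the example.

```python
"""Decide whether an email's From address is a genuine xero.com sender.

Added example, not Xero's own code. It applies the noticeboard's rule (a
genuine Xero email comes from xero.com or a sub-domain) together with its
caveat: because a From address can be spoofed, the domain check alone is
not enough, so a message is only reported as genuine when the receiving
mail server's Authentication-Results header records dmarc=pass for that
domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "xero.com"
_DMARC_PASS = re.compile(r"\bdmarc=pass\b", re.IGNORECASE)
_HEADER_FROM = re.compile(r"\bheader\.from=([A-Za-z0-9.-]+)", re.IGNORECASE)


def sender_domain(from_header):
    """Lower-cased, IDNA-encoded domain of a From header ('' if none).

    IDNA encoding turns a look-alike such as xeró.com into its xn-- form, so
    it can never compare equal to the ASCII xero.com.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain


def is_trusted_sender_domain(domain):
    """True only for xero.com or a sub-domain such as post.xero.com.

    Anchoring on the dot rejects notxero.com; testing the whole domain
    rejects xero.com.evil.net and typo-squats such as xero.conz.
    """
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def dmarc_passed_for(msg, domain):
    """True if an Authentication-Results header reports dmarc=pass for domain.

    Authentication-Results (RFC 8601) is added by the receiving server after
    checking SPF/DKIM/DMARC; a spoofed From address does not earn a pass.
    """
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())          # unfold the header
        match = _HEADER_FROM.search(value)
        if _DMARC_PASS.search(value) and match and match.group(1).lower() == domain:
            return True
    return False


def classify(raw_message):
    """Return 'genuine', 'spoofed-xero-domain' or 'not-xero' for a raw email."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    if not is_trusted_sender_domain(domain):
        return "not-xero"
    if not dmarc_passed_for(msg, domain):
        return "spoofed-xero-domain"
    return "genuine"


# Constructed sample messages; mx.example.net stands for the recipient's server.
GENUINE = """From: Xero <messaging-service@post.xero.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=post.xero.com;
 dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com
Subject: Invoice INV-0001 from Example Ltd

body
"""
SPOOFED = """From: Xero <messaging@post.xero.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail.example.org;
 dkim=none; dmarc=fail header.from=post.xero.com
Subject: Bill 82101 from XXXXX due

body
"""
HOMOGRAPH = """From: Xero Support <support@xeró.com>
Subject: Confirm your email address due to new GDPR regulation

body
"""

if __name__ == "__main__":
    for name, sample in (("GENUINE", GENUINE), ("SPOOFED", SPOOFED), ("HOMOGRAPH", HOMOGRAPH)):
        print(f"{name}: {classify(sample)}")
```

Authentication-Results is only trustworthy when your own mail server wrote it: a sender can include a forged copy, which is why RFC 8601 expects receiving servers to strip any such header they did not add themselves, and a client should read only the copy carrying its own server’s name.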

Notices

Aug 14th, 2018 – Fake Email confirmation email

We’ve received reports of people receiving fake email confirmation emails.

The email has a subject of ‘Confirm your email address’ and is sent from the following email address:

support@ralphstarck.com

Please be aware that the email address listed above is not a sending address nor a domain used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link. The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had further reports of people receiving fake GDPR confirmation emails.

The email has a subject of ‘Confirm your email address due to new GDPR regulation’ and is sent from one of the following email addresses:

support+xero@regattas.eu

support+xero@bookfast.me

support+2oth3geho4e7orOxapReYANu1agiYlNl@babyshowerdeals.com

Please be aware that the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link or contact support@xeró.com – this email address is not associated with Xero (note the ó in xeró.com instead of an o). The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

Aug 8th, 2018 – Fake invoice phishing variant

We’ve had reports today of people receiving a new version of the fake invoice reminder phishing email, similar to our post in July.

The subject used this time is ‘Invoice INV-10299 from XXXXXXX’ and is being sent from a wide range of individual and business email addresses.

The invoice amount and business names may vary in an attempt to make the invoice more convincing. Some of the business names used may be legitimate businesses.

Please be aware that these are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “View invoice” link. The link in this phishing email will redirect you to a malicious website.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving another version of a fake invoice reminder email.

The sending address used is ‘fuhrmann@fuhrmann.co.nz’ with a subject of ‘Your invoice XXXXX available now.’ and an invoice amount of $373.75. Please note that the invoice number may be different from the example provided.

Please be aware that this email address is not a sending address used by Xero, nor was the email sent by Fuhrmann NZ or NJW Limited. The criminal sending the email has exploited the names of legitimate businesses to try to make their email more convincing.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on the link to view your bill. The link in this phishing email will redirect you to a malicious website and prompt you to download a malicious file.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve been made aware of a website which is offering monetary payments in exchange for old Xero Subscription invoices: http://data-bees.com

Please be advised that Xero is not affiliated with this organisation and we don’t believe they’re compliant with GDPR. As such, we strongly advise Xero Subscribers against providing any details or invoices. Here is a screen capture of the website:

We’ve been made aware of various websites offering Xero Customer & Technical support by phone. They’ve provided phone numbers for Xero customers to call in NZ, Australia, Canada and the UK.

Please be advised that Xero is not affiliated with these companies or with the phone numbers shown on the websites below:

Here are images of the web pages:

Some customers have reported calling one of the phone numbers and allowing a support technician to connect to their computer. They were then asked for a payment before ‘fixing’ a technical issue.

As Xero does not charge for support, you should be suspicious of anyone attempting to charge you for Xero support.

We strongly advise against going to these websites or calling any of the phone numbers provided. If you have already called or granted access to your computer to these technicians, we strongly recommend that you run a full malware scan on all of your computers, then change all of your passwords after the scans have returned clean. If you’ve provided your credit card details as well, please contact your bank to see if they can recover any payments made.

The best way to contact our support team is to click the ? icon at the top right of your screen when you’re logged into Xero and then select Contact Xero Support. Alternatively, you can follow the link to Xero Central here.

We also recommend enabling Two-Step Authentication (2SA) as another layer of protection for your Xero account. You can find out more about 2SA here.

We’ve had reports of people receiving another version of a fake invoice reminder email.

The sending address used is ‘marketingaustralianhammer.com.au@mail92.atl71.mcdlv.net’ with a subject of ‘Bill 15047 from XXXX is due soon’ and an invoice amount of $1745.00.

Please be aware that this email address is not a sending address used by Xero nor was it sent by Australian Hammer Supplies. The criminal sending the email has exploited the name of this legitimate business to try to make their email more convincing.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on the “View invoice” link or reply to the email. The link will prompt you to download a malicious file.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a version of the fake invoice reminder phishing email today, similar to the notice we’d posted earlier this month.

The subject is ‘Bill 18322 from XXXX is due soon’ and appears to be sent from a wide range of individual and business email addresses.

The invoice amount and business names may vary in an attempt to make the invoice more convincing. Some of the business names used may be legitimate businesses.

Please be aware that these are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “View invoice” link or call the phone number mentioned in the email. The link in this phishing email will redirect you to a malicious website.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had further reports of people receiving fake GDPR confirmation emails.

The email has a subject of ‘Confirm your email address due to new GDPR regulation’ and is sent from one of the following email addresses:

xero@careof.org

xero@ondernemersmanagerveere.nl

Please be aware that the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link or contact support@xero.network – this email address is not associated with Xero. The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports today of people receiving another variant of the fake invoice reminder phishing email, similar to the notice we posted earlier this week.

The subject is ‘Invoice from XXXXX’ and appears to be sent from a wide range of individual and business email addresses.

The invoice amount and business name may vary in an attempt to make the invoice more convincing. Some of the business names used may be legitimate businesses.

A genuine Xero email will always come from a xero.com domain or sub-domain address (for more information on this please see ‘Reporting Phishing to Xero’ at the top of this Noticeboard).

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The link or attachment in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email today, similar to the notice we’d posted earlier this month.

This time, the sending email address is “messaging@post.xero.com” with the subject ‘Bill 82101 from XXXXX due’.

The email claims to originate from messaging@post.xero.com but is spoofing this sending address and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email you should report it as phishing and delete it. Do not click on the ‘View Invoice’ link. The link in this phishing email will redirect you to a malicious website masquerading as a Microsoft login page with the intention of stealing your username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email today, similar to the notice we posted in late May.

This time, the sending email address is “messaging-service_noreply_noreply@post.xero.com” with the subject ‘Invoice INV-2444007’.

The email claims to originate from messaging-service_noreply_noreply@post.xero.com but is spoofing this sending address.

Please be aware that this is not a sending address used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email you should report it as phishing and delete it. Do not click on the ‘View Invoice’ link. The link in this phishing email will redirect you to a malicious website masquerading as a Microsoft login page with the intention of stealing your username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving fake GDPR confirmation emails.

The email has a subject of ‘Confirm your email address due to new GDPR regulation’ and is sent from one of the following email addresses:

support+k5Ar2cxhzDlXBWV9alVj@mail.pdphotographers.com

support+k5Ar2cxhzDlXBWV9alVj@mail.mcmcpl.org

Please be aware that the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” or the “unsubscribe” link. The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email.

The email has the subject ‘Invoice Payment Reminder’ with an invoice amount of $249.48.

These emails appear to be sent from a wide range of individual and business email addresses that are not sending addresses nor domains used by Xero, and were not sent by us.

A genuine Xero email will always come from a xero.com domain or sub-domain address (for more information on this please see ‘Reporting Phishing to Xero’ at the top of this Noticeboard).

Here is an example of the email reported to us:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The link or attachment in this phishing email will redirect you to a malicious website.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as another layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving false sign up verification emails claiming to be from Xero.

The sending address of the email is notification+zj462tocfyjc@toastwineclub.com with a subject of ‘Confirm your email address’.

Please be aware that notification+zj462tocfyjc@toastwineclub.com is not a sending address or domain used by Xero, and this email was not sent by us.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link. The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

If you’re an existing Xero user, we recommend enabling Two-Step Authentication (2SA) as an additional layer of protection for your account. You can find out more about 2SA here.

You can find more information on how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to those we reported in March this year. This time, the sending address of the email is sales@xero.com with a subject of ‘Your xero invoice available now’. The amount of the invoice in the email also varies.

The email claims to originate from sales@xero.com but is spoofing this sending address.

Here is an example of the email reported to us:

If you’ve received one of these emails you should report it as phishing and delete it. DO NOT click on any links or attachments. The link in the received email will prompt you to download a malicious file.

You can check the destination URL before you click on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

You can find more information about how to protect yourself from email phishing attacks here.
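The hover-before-you-click check above, as an added example in Python (not Xero’s code): it does mechanically what hovering does by hand, recording the host each link in an HTML email actually goes to and, where the visible link text itself looks like a web address, comparing the host it shows with the host in the href. Button-style links such as “View invoice” give nothing away in their text, so the example flags them for a manual look at the destination. The sample HTML body, its hostnames and the 198.51.100.7 address are constructed for the example.

```python
"""Report where the links in an HTML email really go.

Added example, not Xero's code. It does mechanically what hovering over a
link does by hand: for every <a> element, record the host in the href, and
where the visible text itself looks like a URL or domain, compare the two.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text a reader would take for a web address, e.g. "go.example.com/x".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text          # let urlsplit treat a bare domain as a netloc
    return (urlsplit(text).hostname or "").lower()


def audit_links(html):
    """Return one finding per link: visible text, real host, and a verdict.

    'mismatch': the text shows one host but the href goes to another.
    'check':    button-style text ("View invoice"); only the href tells you.
    'ok':       the text shows the same host the href goes to.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        if URL_LIKE.match(text):
            verdict = "ok" if host_of(text) == actual else "mismatch"
        else:
            verdict = "check"
        findings.append({"text": text, "href_host": actual, "verdict": verdict})
    return findings


# Constructed sample body; the hostnames and the IP address are invented.
SAMPLE_HTML = """
<p>Invoice INV-10299 from Example Ltd is due.</p>
<p><a href="http://198.51.100.7/login">https://invoice.example-saas.com/view</a></p>
<p><a href="http://198.51.100.7/login">View invoice</a></p>
<p><a href="https://invoice.example-saas.com/view">invoice.example-saas.com/view</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f"{f['verdict']:8} text={f['text']!r} goes to {f['href_host']}")
```

A link whose href host is a bare IP address, or a domain unrelated to the business named in the email, is the same signal the hover check gives you, seen for every link at once rather than one at a time.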

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to the notice we’d posted in late April.

The email has the subject of: Invoice INV-15620 from Xero (UK) Limited and is sent from one of the following email addresses:

messaging-service@h3-hrm.com

messaging-service@toastwineclub.com

messaging-service@iamrstudentportal.com

messaging-service@stopitkids.com

messaging-service@writingforgod.com

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of the emails reported to us:

If you have received this email you should report it as phishing and delete it. Do not click on the link. The invoice link in this email will ask you to login to a phishing site with your Xero credentials.

If you have clicked on the link and input your Xero username and password you should change your password immediately after running a full malware scan. We also recommend enabling Two-Step Authentication (2SA) as another layer of protection for your Xero account, you can find out more about 2SA here.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of a phishing email currently in circulation masquerading as a security notification from Xero. The sending address of the email is messaging-service@eiims.com with a subject of ‘New login from your Xero account’.

Please be aware that messaging-service@eiims.com is not a sending address used by Xero, and this email was not sent by us. The notification email also contains a randomly generated password. Xero will never generate a password and email it to you.

Here is an example of an email we’ve received:

If you have received this email you should report it as phishing and delete it. Do not click on the link. If you have clicked on the link and input your Xero username and password, or changed your password to the value shown in the email, you should change your password immediately after running a full malware scan. We also recommend enabling Two-Step Authentication (2SA) as another layer of protection for your Xero account, you can find out more about 2SA here.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email.

The sending address of the email is messaging-service@h3-infotech.com with a subject of ‘Invoice INV-092812 from Xero (UK) Limited for XXXXXXX’.

Please be aware that messaging-service@h3-infotech.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

The invoice amount is for £33.00. However, the invoice number in the email body (INV-0001) doesn’t match the invoice number in the subject.

Here is an example of an email we’ve received:

If you have received this email, you should report it as phishing and delete it. Do not click on any links. The invoice link in this email will ask you to login to a phishing site with your Xero credentials. If you have clicked on the link and input your Xero username and password you should change your password immediately after running a full malware scan. We also recommend enabling Two-Step Authentication (2SA) as another layer of protection for your Xero account, you can find out more about 2SA here.

You can check the destination URL on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had further reports of people receiving false sign up verification emails impersonating Xero. This time the sending address of the email is support@laxmimemorial.org, with the subject of ‘Confirm your email address’.

Please be aware that support@laxmimemorial.org is not a sending address or domain used by Xero, and this email was not sent by us.

Here is an example of the email:

If you have received this email you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link. The link in this phishing email will redirect you to a malicious website with the intent of stealing your Xero username and password.

You can check the destination URL on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving fake invoice emails, similar to those we reported last month. The sending email addresses are:

messaging-service@subdr.net

messaging-service@subdr.org

Please be aware that these are not sending addresses used by Xero, and these emails were not sent by us.

Here is an example of the email:

We’ve seen many different company names used in the examples we’ve received. The criminals sending these emails are using the names of legitimate businesses to try and lure you into clicking on the links. The businesses named are being impersonated and have no involvement in this phishing campaign. We’ve also seen different amounts in the fake invoices so the email may not look exactly like the one above. If it comes from one of the email addresses we’ve listed, it is likely to be a phishing email.

If you’ve received one of these emails, you should report it as phishing and delete it. DO NOT click on any links or attachments. The ‘View invoice’ button in this phishing email will redirect you to a malicious website containing malware. You can check the destination URL by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. For more information on how to protect yourself from email phishing attacks, please follow the link here.

We’ve had reports of people receiving false sign up verification emails claiming to be from Xero. The sending address of the email is support@idealflatmate.co.uk with a subject of ‘Confirm your email address’.

Please be aware that support@idealflatmate.co.uk is not a sending address or domain used by Xero, and this email was not sent by us.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on the “Yes, it’s me – let’s get started” link. The link in this phishing email will redirect you to a malicious website and possibly download ransomware. You can check the destination URL on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of a phishing email currently in circulation masquerading as a security notification from Xero. The sending address of the email is xero@mailteamonline.com with a subject of ‘Important account notice’.

Please be aware that xero@mailteamonline.com is not a sending address used by Xero, and this email was not sent by us.

Here is an example of the phishing email:

If you have received this email you should report it as phishing and delete it. Do not click on the link. If you have clicked on the link and input your Xero username and password, you should change your password immediately. We also recommend enabling 2SA as another layer of protection for your Xero account, you can find out more about 2SA here.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to those we reported in February this year.

This time, the sending address of the email is invoice@xero.com with a subject of ‘Your xero invoice available now’.

Please be aware that invoice@xero.com is not a sending address used by Xero, and this email was not sent by us.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware. You can check the destination URL on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the fake invoice reminder phishing emails reported today. They’re being sent from the following email addresses:

messaging-service@xerogroup.org

messaging-service@xeromobile.net

messaging-service@xerocentral.com

messaging-service@xero-fx.com

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of one of the emails:

We’ve seen many different company names used in the examples we’ve received. The criminals sending these emails are using the names of legitimate businesses to try and lure you into clicking on the links. The businesses named are being impersonated and have no involvement in this phishing campaign. We’ve also seen different amounts in the fake invoices so the email may not look exactly like the one above. But if it comes from one of the email addresses we’ve listed it is phishing.

If you’ve received one of these emails you should report it as phishing and delete it. DO NOT click on any links or attachments. The ‘View invoice’ button in this phishing email will prompt you to download a malicious file, possibly ransomware. You can check the destination URL before you click on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the fake invoice reminder phishing email reported today. The sending address is one of the two email addresses listed below:

invoicereminders@xerodirect.com

invoicereminders@xerointernational.com

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of one of the emails:

Like the previous variants, we’ve seen different company names and invoice amounts used in the examples we’ve received, so the email may not look exactly like the one above. But if it comes from one of the two email addresses we’ve listed, it is phishing.

If you’ve received one of these emails you should report it as phishing and delete it. DO NOT click on any links or attachments. The ‘View invoice’ button in this phishing email will prompt you to download a malicious file, possibly ransomware. You can check the destination URL before you click on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. You can find more information about how to protect yourself from email phishing attacks here.

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of the email:

We’ve seen different company names and invoice amounts used in the examples we’ve received, so the email may not look exactly like the one above. But if it comes from one of the email addresses we’ve listed it is phishing.

If you’ve received one of these emails you should report it as phishing and delete it. DO NOT click on any links or attachments. The ‘View invoice’ button in this phishing email will prompt you to download a malicious file, possibly ransomware. You can check the destination URL before you click on a link by hovering your mouse over the link (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the fake invoice reminder phishing email reported today. The sending address is one of the following email addresses listed below:

invoicereminders@xero-e.com

invoicereminders@xerosupply.com

invoicereminders@xeropages.com

invoicereminders@xero-web.net

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, similar to the one posted last month. This time the sending address is one of the following:

subscription.notifications@xeroform.org

subscription.notifications@xerosx.com

subscription.notifications@xero-accounting.com

subscription.notifications@xeromi.org

Please be aware the email addresses listed above are not sending addresses nor domains used by Xero, and these emails were not sent by us.

Here is an example of one of the emails:

The invoice contains a malicious attachment that will attempt to install malware, possibly ransomware or a password stealer. If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to those we reported about last year. The sending address of the email is sales@xero.conz with a subject of ‘Your xero invoice available now’. The invoice amount in the email also varies.

Please be aware that sales@xero.conz is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

TLS, or “Transport Layer Security”, is an encryption protocol that provides privacy and data integrity between your web browser and the Xero application, allowing data to be securely exchanged over the Internet.

Xero will cease support for browsers connecting using TLS 1.0 from 31 March 2018, as this version of TLS has known vulnerabilities and is no longer deemed secure. To increase the security of your online accounts, update your web browser to a version that supports TLS 1.1 as a minimum, though we recommend one that supports TLS 1.2.

You can find more information on our blog, including which browser versions support TLS 1.1 or higher, and how to test whether you’re currently using a supported version of TLS.
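The blog check above tells you what your browser negotiates. The complementary check, from the other side, is to ask a server which protocol versions it will still complete a handshake at, so you can confirm for yourself that TLS 1.0 is refused after the cut-off. The script below is an added example, not Xero’s own tooling: it pins a client to one version at a time and records whether the server accepts it, and also builds the hardened client context your own scripts should use. No Xero host is hard-coded; pass the hostname you want to test on the command line.

```python
"""Probe which TLS versions a server still accepts, and build a client context
that refuses anything below TLS 1.2. Added example, not Xero's own check; no
Xero host is hard-coded, pass the hostname to test on the command line."""
import socket
import ssl
import sys
from typing import Dict, List, Optional

ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
# The notice sets 1.1 as the floor and recommends 1.2; use the recommendation.
MINIMUM_ACCEPTABLE = "TLS 1.2"


def hardened_client_context() -> ssl.SSLContext:
    """What your own scripts should use when talking to the service:
    certificate verification on, nothing older than TLS 1.2 offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepts_version(host: str, version: ssl.TLSVersion, port: int = 443,
                    timeout: float = 5.0) -> Optional[bool]:
    """Attempt a handshake pinned to exactly one protocol version.

    True: the server completed the handshake at that version.
    False: the server refused it (protocol_version alert or handshake failure).
    None: the local OpenSSL would not even offer it (modern builds disable
    TLS 1.0/1.1 at their default security level), so the result is inconclusive.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not identity
    try:
        # Lower the local security level so old protocols can actually be
        # offered; ignored on builds that do not understand the syntax.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False
    # Any other OSError (DNS failure, timeout, connection refused) propagates:
    # it says nothing about protocol support and must not be read as a result.


def probe(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version in ORDER against one host."""
    return {name: accepts_version(host, VERSIONS[name], port) for name in ORDER}


def weak_versions_accepted(results: Dict[str, Optional[bool]],
                           minimum: str = MINIMUM_ACCEPTABLE) -> List[str]:
    """Versions below the chosen floor that the server positively accepted."""
    return [name for name in ORDER[:ORDER.index(minimum)] if results.get(name) is True]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = probe(target)
    for name in ORDER:
        print(f"{name}: {results[name]}")
    weak = weak_versions_accepted(results)
    print("still accepts weak versions:" if weak else "no weak versions accepted", weak)
```

Read a `None` for TLS 1.0 or 1.1 as "could not test", not as "refused": a current OpenSSL build may decline to offer those versions at all, in which case confirm with an older client or `openssl s_client -tls1` before concluding the server has turned them off.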

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below in recent months. This time the sending address is subscription.notifications@xeroink.com.

Please be aware that subscription.notifications@xeroink.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

The invoice contains a malicious attachment that will attempt to install malware, possibly ransomware or a password stealer. If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

There’s been a lot of media attention over the past few days about a new class of hardware-based security vulnerability that affects many modern computer processors. There are three known variants of the issue which now go by the names Spectre (1 & 2) and Meltdown (3):

The security of our customers’ data is always our top priority and we’re taking active steps to ensure Xero is not impacted by these vulnerabilities. Our cloud service providers have been working for several months to patch systems to prevent exploitation. Xero has seen nothing to indicate that these vulnerabilities have been used to attack our systems or customers’ accounts.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below in recent months. This time the sending address is subscription.notifications@xeroservice.com.

Please be aware that subscription.notifications@xeroservice.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

The invoice contains a malicious word document that will attempt to install malware, possibly ransomware or a password stealer. If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in 2017, with the sending address of either invo@xreoin.co.nz or info@xreo.co.nz and the subject of ‘Your xero invoice available now’.

Please be aware that invo@xreoin.co.nz and info@xreo.co.nz are not sending addresses nor domains used by Xero, and these emails were not sent by us.

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email, similar to those we reported about in June, July, August and November. The sending address of the email is invoicereminders@post.xerostatic.com with a subject of ‘Bill INV-0906 from Enquip Pty Ltd is due soon’. The invoice amount in the email also varies.

Please be aware that invoicereminders@post.xerostatic.com is not a sending address nor a domain used by Xero, and this email was not sent by us. Nor was it sent by Enquip Pty Ltd. The criminal sending the email has exploited the name of this legitimate business to try to make their email more convincing.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve been advised of a website for a company offering Xero technical support and providing a phone number for Xero’s Australian customers to call. This company and the phone number given are not in any way associated with Xero, and the disclaimer on the web page says so.

We’ve had a report from a customer who called this number, allowed the support technician to connect to their computer, and was then asked to pay hundreds of dollars to fix a technical issue. Fortunately, our customer terminated the call at that stage. You should be suspicious if anyone attempts to charge you for Xero support, as Xero does not charge for support.

Here’s an image of the web page at URL

We recommend that Xero users do not go to this web site and do not call the phone number provided. If you have called the number and granted access to your computer to their technicians, we recommend you scan for malware, change all of your passwords and enable two or multi-factor authentication on all accounts where strong authentication is available, including enabling two-step authentication (2SA) for your Xero account. If you have provided your credit card details to these people, please advise your bank and take action to prevent fraudulent transactions.

We’ve had reports from several Xero accounting partners who have received emails offering a list of Xero software users for sale. This is an example of the emails being received:

The examples we’ve seen have a few different names in the signature and matching sending email addresses from the ‘@outlook.com’ domain. Other names we’ve seen so far include Madison Emily (madison.emily21@outlook.com) and Shirley Manson (shirley.mansonb2b@outlook.com) but it’s likely there are more.

This is yet another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes. The fraudsters will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet. Links in these emails may also take you to malicious web sites.

These fraudsters do not have access to any Xero customer lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory. We recommend you delete these emails without opening them, and do not reply. If you use an email service that offers a spam reporting feature (such as Gmail), we recommend you report any emails like this as spam.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in June, July and August, with the sending address of bill@xero.com and a subject of ‘Your xero invoice available now’.

The email claims to originate from bill@xero.com but is spoofing this sending address. An example of this new phishing email is shown below:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below in recent months. This time the sending address is subscription.notifications@post.xerosys.com.

Please be aware that subscription.notifications@post.xerosys.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

The invoice number shown in the subject line and link, as well as the dates in the body of the email, may differ from that shown above. But the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware or a password stealer.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below over the last few months. This time the sending address is subscription.notifications@post.xero.biz.

Please be aware that subscription.notifications@post.xero.biz is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

The invoice number shown in the subject line and link, as well as the dates in the body of the email, may differ from that shown above. But the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware or a password stealer.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below over the last few months. This time the sending address is subscription.notifications@xero.secpay.org.

Please be aware that subscription.notifications@xero.secpay.org is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here is an example of the email:

The invoice number shown in the subject line and link, as well as the dates in the body of the email, may differ from that shown above. But the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware or a password stealer.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports that people have received a phishing email with the sending address of emailinvoice@xero.co.nz and an email subject that reads ‘Your xero invoice available now’.

Please be aware that emailinvoice@xero.co.nz is not a sending address used by Xero, and this email has not been sent by Xero. Nor was it sent by NJW Limited. The criminal sending the email has exploited the name of this legitimate business to try to make their email more convincing.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve been advised of a Facebook page for a company claiming to offer Xero technical support and providing a phone number for Xero’s New Zealand customers to call. This company and the phone number given are not in any way associated with Xero. The same claim and phone number are also listed on another web site, www.macpatchers.co.nz. We’re told that if you call this number you’ll be asked to pay for a software support subscription.

The persons answering the calls are claiming to be “Xero gold providers” and “Xero certified partners”, and the only help desk for Xero. None of this is true. They may also provide you with another number to call for support – 0800 448 938.

Here’s a copy of the Facebook and macpatchers.co.nz web pages for these scammers, with the URLs for each shown:

Please do not go to these pages and do not phone the number provided. If you have called the number on these sites and made payment to them, please contact your bank and the Police to report this and cancel your payment. If you have provided your credit card details to these people, please advise your bank and take action to prevent further fraudulent transactions.

We’ve had another variant of the Xero Billing Notifications phishing email reported today, like the ones we’ve posted about below over the last few months. This time the sending address is subscription.notifications@post.xero.ic-canada.com.

Please be aware that subscription.notifications@post.xero.ic-canada.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here’s an example of this new phishing email:

The invoice number shown in the subject line and link, and the dates in the body of the email, may differ from that shown above. But the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware or a password stealer.

You can find more information about how to protect yourself from email phishing attacks here.

Today we’ve seen another variant of the Xero Billing Notifications phishing email that we posted about several times in August and September. This time the sending address is subscription.notifications@post.xero.m-au.com.

Please be aware that subscription.notifications@post.xero.m-au.com is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The link in this phishing email will take you to a page that will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports that people have received a phishing email with the sending address of invoicereminders@post.xero.inc-r.com and an email subject that reads ‘Bill SI-00004087 from I & M Industries Pty Ltd is due soon’.

Please be aware that invoicereminders@post.xero.inc-r.com is not a sending address used by Xero, and this email has not been sent by us. Nor has it been sent by I & M Industries Pty Ltd. The scammer sending the email has exploited the name of this legitimate business to try to make their phishing email more convincing.

Here is an example of the phishing email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

Today we have seen another variant of the Xero Billing Notifications phishing email that we posted about several times in August, as well as on September 7th, 13th and 18th. This time the sending address is subscription.notifications@post.xerohost.info.

Please be aware that subscription.notifications@post.xerohost.info is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

Today we have seen another variant of the Xero Billing Notifications phishing email that we posted about several times in August, as well as on September 7th and 13th. This time the sending address is subscription.notifications@post.xerobank.org.

Please be aware that subscription.notifications@post.xerobank.org is not a sending address nor a domain used by Xero, and this email was not sent by us.

Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports that people have received a phishing email with the sending address of info@billingxero.co.nz and an email subject that reads ‘Your spark invoice available now’.

Please be aware that info@billingxero.co.nz is not a sending address used by Xero, and this email has not been sent by Xero, nor by Spark New Zealand.

Here is an example of the email:

If you have received this email, you should report it as phishing and delete it. Do not click on any links or attachments. The online bill link and PDF attachment in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

Today we’ve seen another variant of the Xero Billing Notifications phishing email that we posted about on August 16th, 24th, 30th and September 7th. This time it’s from the sender address of subscription.notifications@ffx2.net. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

Today we’ve seen another variant of the Xero Billing Notifications phishing email that we posted about on August 16th, 24th and 30th. This time it’s from the sender address of subscription.notifications@ukays.com. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of a phishing email spoofing our sending address of messaging-service@post.xero.com with a subject of: Invoice INV-000*** from Property Lagoon Limited for Gleneagles Equestrian Centre, where *** is a 2 or 3 digit number. The invoice amount in the email also varies. In some instances a single email address has received many copies of this email.

While this email appears to have a legitimate Xero sending address it is malicious and it was not sent by Xero. Nor has it been sent by Property Lagoon Ltd or Gleneagles Equestrian Centre. The scammer sending the email has exploited the names of these legitimate businesses to try to make their email more convincing.

An example of the phishing email is shown below:

The ‘View your bill online’ bill link in these phishing emails will take you to a website where you’ll be asked to download a zip file. This file is a Visual Basic malware dropper that will download ransomware to your device.

Always check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

This campaign is using multiple servers to host their malware file so the first part of the link URL isn’t consistent. In the samples we’ve seen the URL for the bill link consistently ends with the filename of INV-00022.7z

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

Today we’ve seen another variant of the Xero Billing Notifications phishing email that we posted about on August 16th and 24th. This time it’s from the sender address of subscription.notifications@xerobank.net. As noted above, this is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of yet another version of the fake invoice reminder phishing email we posted about yesterday, and previously reported in June and July. This time the email is spoofing the sending address of info@xero.net.nz. As noted above, this is not a sending address or domain used by Xero.

An example of this new phishing email is shown below:

There’s a small difference to the previous campaigns in that this latest variant has ‘Your invoice available now.’ in the subject line, and the bill amount is now $371.75, due on 28 Aug 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this variant the malicious URL for the bill link and PDF attachment start with bit.ly or

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in June and July. The email is spoofing the sending address so it appears to come from no-reply@xero.net. This is not a sending address or domain used by Xero. This email was not sent by us.

An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.’ in the subject line, but the bill amount is now $325.79, due on 28 Aug 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with the IP address 166.78.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of a new variant of the Xero Billing Notification phishing email that we posted about on August 16th. This time it’s from the sender address of subscription.notifications@xeromc.net. This is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of this new phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve seen.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports from people who have received a phishing email with the sender address of subscription.notifications@xeronet.org. This is not a sending address or domain used by Xero, and this email was not sent by us. Here’s an example of that phishing email:

The invoice number shown in the subject line and link may differ from that shown above, but the other details appear consistent in the samples we’ve had reported to us.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. Do not click on any links or attachments. The “View your bill:” link in this phishing email will prompt you to download a malicious file, possibly ransomware.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported in June and July. The email claims to originate from bill@xero.co.nz but is spoofing this sending address. An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.’ in the subject line, but the bill amount is now $498.75, due on 07 Aug 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of people receiving a new version of the fake invoice reminder phishing email we reported on June 20th. The email claims to originate from bill@xero.com but is spoofing this address. An example of this new phishing email is shown below:

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a javascript malware dropper that we assume will download ransomware to your device.

Like the previous campaign, all of the examples we’ve seen so far have ‘Your xero invoice available now.‘ in the subject line, but the bill amount has increased to $377.15, due on 27 Jul 2017. This could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment start with

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.
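The checks these notices ask you to do by eye can be run over a raw message: is the sender’s domain really xero.com or a subdomain of it rather than a lookalike such as xero.conz or xero.secpay.org; does a message that shows a genuine-looking address such as bill@xero.com or messaging-service@post.xero.com actually pass sender authentication, or is the header spoofed; and does the ‘View your bill’ link hand you an archive such as INV-00022.7z or hide behind a bit.ly shortener. The script below is an added example, not Xero’s code or tooling. It assumes genuine Xero mail comes only from xero.com and its subdomains, and that your mail server records an Authentication-Results header on delivery; the three sample messages are constructed for this example and the IP address is from a documentation range. It goes slightly beyond the cases on this page by also rejecting domains such as xero.com.evil.net, which a naive substring test would accept.

```python
"""Triage a suspected Xero invoice-phishing email. Added example, not Xero's code.
Assumes genuine Xero mail comes only from xero.com or a subdomain of it, and that
the receiving mail server records an Authentication-Results header. The sample
messages are constructed; 198.51.100.7 is a documentation-range address."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

LEGIT_DOMAIN = "xero.com"
# No genuine invoice notification hands you an archive or a script to run.
SUSPICIOUS_EXTENSIONS = (".7z", ".zip", ".rar", ".js", ".vbs", ".exe", ".scr")
# Shorteners hide the real destination (the bit.ly variant above is one case).
SHORTENERS = ("bit.ly", "tinyurl.com", "goo.gl")


def is_legit_domain(domain: str) -> bool:
    """xero.com itself or a true subdomain. A substring test would also accept
    xero.com.evil.net; a prefix test would accept xero.conz."""
    domain = domain.lower().rstrip(".")
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Xero <bill@xero.conz>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Decoded text/plain and text/html parts, joined."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_links(text: str) -> List[str]:
    """href targets plus bare URLs, de-duplicated in order of appearance."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I)
    bare = re.findall(r'https?://[^\s"\'<>]+', text)
    return list(dict.fromkeys(hrefs + bare))


def triage(raw_email: str) -> Dict[str, object]:
    """Return the sender domain, a list of findings and an overall verdict."""
    msg = message_from_string(raw_email)
    findings: List[str] = []
    domain = sender_domain(msg.get("From", ""))
    if not is_legit_domain(domain):
        findings.append(f"sender domain {domain!r} is not xero.com or a subdomain of it")
    # A correct-looking From: domain proves nothing, it is trivially forged;
    # forged mail fails SPF/DKIM, which the receiving server records here.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("no SPF and DKIM pass recorded for the sender")
    for url in extract_links(body_text(msg)):
        parsed = urlparse(url)
        host, path = (parsed.hostname or "").lower(), parsed.path.lower()
        if host in SHORTENERS:
            findings.append(f"link {url} uses a URL shortener, destination hidden")
        elif not is_legit_domain(host):
            findings.append(f"link {url} points outside xero.com")
        if path.endswith(SUSPICIOUS_EXTENSIONS):
            findings.append(f"link {url} downloads {path.rsplit('/', 1)[-1]}")
    return {"sender_domain": domain, "findings": findings,
            "verdict": "phishing indicators" if findings else "no indicators"}


# Constructed samples modelled on the notices above; none of them is a real message.
SPOOFED = """\
From: Xero <messaging-service@post.xero.com>
Subject: Invoice INV-00022 from Property Lagoon Limited
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=post.xero.com; dkim=none
Content-Type: text/html; charset=utf-8

<p>Your bill is ready.</p> <a href="http://198.51.100.7/docs/INV-00022.7z">View your bill online</a>
"""
LOOKALIKE = """\
From: Xero <bill@xero.conz>
Subject: Your xero invoice available now
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=xero.conz; dkim=pass header.d=xero.conz
Content-Type: text/plain; charset=utf-8

View your bill: https://bit.ly/constructed-example
"""
GENUINE_SHAPE = """\
From: Xero <messaging-service@post.xero.com>
Subject: Invoice INV-0001 from Example Ltd
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=xero.com
Content-Type: text/html; charset=utf-8

<a href="https://post.xero.com/constructed/INV-0001">View your bill online</a>
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine shape", GENUINE_SHAPE)):
        print(name, triage(sample))
```

The two phishing samples fail for different reasons, which is the point of running more than one check. The spoofed message carries a genuine post.xero.com address, so only the authentication and link checks catch it. The lookalike passes SPF and DKIM, because whoever registers xero.conz can publish records for it; a pass only proves the mail came from the domain in the header, and it is the domain and link checks that flag it.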

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports of Xero accounting partners receiving emails offering a list of Xero users’ email addresses for sale. This is an example of the emails being received:

This is yet another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes. The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet. Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory. We recommend you delete these emails without opening them, and do not reply. If you use an email service that offers a spam reporting feature (such as Gmail), we recommend you report any emails like this as spam.

You may have seen today’s news about another large ransomware campaign called NotPetya (originally reported as Petya) that’s impacted numerous organisations, initially across Europe. Unlike the recent WannaCry ransomware, NotPetya encrypts the filesystem’s master file table (MFT) rather than just the files, effectively locking the disk as the operating system isn’t able to locate files.

Computers infected by NotPetya will display a ransom note demanding that $300 in bitcoins is paid for the decryption key to recover files. However, the email address used to pay the ransom has been shut down so there’s currently no way to pay the ransom to obtain the decryption key.

Details are still coming to light, but there are indications that the initial infection is via .doc and .xls files that exploit a vulnerability in Microsoft Office (CVE-2017-0199). Once a single computer in a network is infected with NotPetya, the program looks for other computers on the network vulnerable to a Microsoft Windows SMB Server vulnerability (the same vulnerability exploited by the WannaCry ransomware) and infects them as well. NotPetya may also exploit Windows Management Instrumentation Command-line (WMIC) execution with local privileges to move laterally to infect other computers.

There are reports that a ‘kill file’ can be created that will prevent the NotPetya ransomware from executing. The kill file is reported to be called perfc. To implement this, create a file in c:\windows called “perfc”.

Microsoft released a patch for the SMB Server vulnerability in March (MS17-010 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). The patch for CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API) has also been available since March. Make sure you have patched to remove these vulnerabilities from your systems.

It’s a timely reminder not to click on links or attachments in suspicious emails, from sources you don’t trust or with strange/unexpected subject lines. Make sure your staff understand the need to be vigilant, including with their personal email. You can find more information about how to protect yourself from email phishing attacks here.

Keep all of your software up to date with the latest security patches, including your anti-malware (anti-virus, anti-spyware) software. You should also make sure you have recent backups of your system and data stored securely, off-network.

We’ve posted this advisory to support our online community. Xero has not been impacted by NotPetya ransomware.

We’ve had reports from Xero customers and non-customers alike who have received a phishing email with the sender address of subscription.notifications@open-e-mail.com. This is not a sending address used by Xero, nor has this email been sent by us.

Here is an example of one of these emails:

The link in this phishing email will prompt you to download a malicious file. You should report the email to your mail provider or mark it as spam and delete it. Do not click on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

We’ve had reports from Xero customers and non-customers alike who have received the phishing email below. The email claims to originate from Xero but is likely sent from a compromised email address, not Xero’s real mail sending address of messaging-service@post.xero.com.

The online bill link and PDF attachment in these phishing emails will take you to a website where you’ll be asked to download a zip file. The zip file contains a JavaScript malware dropper that we assume will download ransomware to your device.

All of the examples we’ve seen so far have ‘Your xero invoice available now.’ in the subject line and a bill amount of $373.75. But this could change, so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

In this example the malicious URL for both the bill link and PDF attachment starts with

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the link or attachment.

You can find more information about how to protect yourself from email phishing attacks here.

Over the weekend we detected a “credential stuffing” attack against Xero. This is when hackers try to log in using usernames and passwords that they’ve stolen from another website. The hackers “crack” the passwords in the stolen credentials database and then try these against other websites to see if they’re valid there, in the hope of gaining unauthorised access to accounts in other services.

Just to be clear, there has been no breach or security incident at Xero. This attack is the result of another site or sites being breached.

The hackers can only successfully compromise a Xero account if the owner of that account has used the same password for Xero and the site that the credentials were stolen from. This highlights the importance of using a unique password for Xero, and each website that you login to.

We also strongly recommend that you have 2SA enabled on your Xero account as this adds another layer of protection, significantly reducing the risk of unauthorised access even if your password is compromised. The Xero help centre has step-by-step instructions for setting up 2SA on your account. If you’d like to know more about two-step authentication in Xero, check out our blog.
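The attack pattern described above has a recognisable shape on the server side: one source trying many different usernames in a short window, with most attempts failing. The following is an added illustration, not Xero’s own detection logic; the log format, thresholds and IP addresses are constructed for the example. It also lists the accounts that a flagged source managed to log into, which is the set a defender would want to force a password reset on.

```python
"""Spot credential-stuffing behaviour in web login logs (added example).

Constructed log format, one event per line:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
Signals: many distinct usernames from one IP inside a time window,
combined with a high failure ratio.  Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source IP (assumption)
MIN_DISTINCT_USERS = 5           # distinct usernames needed to alert (assumption)
MIN_FAILURE_RATIO = 0.8          # share of attempts that must fail (assumption)

# Constructed sample: 203.0.113.10 sprays six accounts (one succeeds),
# 198.51.100.7 is a real user mistyping a password twice.
SAMPLE_LOG = """\
2017-07-01T02:00:01Z 203.0.113.10 alice@example.com FAIL
2017-07-01T02:00:02Z 203.0.113.10 bob@example.com FAIL
2017-07-01T02:00:02Z 203.0.113.10 carol@example.com FAIL
2017-07-01T02:00:03Z 203.0.113.10 dave@example.com OK
2017-07-01T02:00:03Z 203.0.113.10 erin@example.com FAIL
2017-07-01T02:00:04Z 203.0.113.10 frank@example.com FAIL
2017-07-01T02:01:10Z 198.51.100.7 grace@example.com FAIL
2017-07-01T02:01:25Z 198.51.100.7 grace@example.com FAIL
2017-07-01T02:01:40Z 198.51.100.7 grace@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: summary} for sources whose activity looks like stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            failures = sum(1 for _, _, ok in window_evs if not ok)
            ratio = failures / len(window_evs)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the latest (largest) window for this IP.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_evs),
                    "failures": failures,
                    # Accounts actually opened from this source: reset these.
                    "succeeded": sorted(u for _, u, ok in window_evs if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Real stuffing campaigns spread attempts over many source addresses, so in practice the same logic is also run keyed on other attributes (user agent, ASN, or a device fingerprint) and over a longer window; the single-IP version above shows the core of the idea.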

Xero have been advised of emails being received that spoof (impersonate) Xero’s ‘support@xero.com’ email address. While ‘support@xero.com’ is a legitimate Xero email address, please be assured that these emails have not been sent by Xero. This email campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them. But if your email provider has not blocked them you may receive a spam email that looks like this:

The link in this email takes you to a site where you’ll be asked a series of questions before you can “claim” your gift card prize. We recommend deleting the email if you have received it, and please do not click on any of the links.

You can find more information about how to protect yourself from phishing and malicious emails here.

We’ve had reports of Xero accounting partners receiving emails offering Xero users’ contact details for sale. This is an example of the emails being received:

This is another instance of a common internet scam that offers customer data for sale for “targeted marketing” purposes. The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet. Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory. We recommend you delete these emails without opening them or viewing any attachments. If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

We’ve had reports of a Xero-branded phishing email currently in circulation. This is an example of one of these phishing emails:

The link in this phishing email directs you to a fraudulent replica of the Xero login page, where the offenders are hoping to trick Xero customers into disclosing their login credentials.

This is an example of the fraudulent website (note the fraudulent web address highlighted in red):

Xero’s legitimate web address is https://www.xero.com and our login page is https://login.xero.com. We recommend always checking that you are logging into the genuine Xero site before entering your login credentials.

If you were to enter login credentials on the phishing page above, you’d be taken to this page and asked to enter your phone number:

If you have entered your Xero login credentials to the phishing page, please change your password immediately and advise our support team at support@xero.com.

We also strongly recommend having Two-Step Authentication (2SA) enabled for your Xero account. 2SA provides an additional layer of security for your Xero account that significantly reduces the risk of it being compromised if your password is stolen by phishing or malware. To find out more about two-step authentication, please review our Help Center.

You can find more information about how to protect yourself from phishing and malicious emails here.

We’ve had reports of fake Xero invoice emails being received with a sender address of message-service@xeroaccounting.org. This is an example of one of those emails:

The online bill link in these phishing emails will take you to a SharePoint site and ask you to download a zip file. The zip file contains a JavaScript malware dropper that we assume will download ransomware to your device.

Xero’s real invoice sending address is messaging-service@post.xero.com. If you receive an email from message-service@xeroaccounting.org, you should report it as phishing and delete it without clicking on any links or attachments. You can find more information about how to protect yourself from email phishing attacks here.

You’ve probably already seen the news about the massive international ransomware campaign hitting the computer systems of private companies and public organisations around the world. This incident is being reported as the largest ransomware campaign to date. The ransomware in question has been identified as a variant of WannaCry (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’), because the extension of the encrypted files is .wcry. Like other ransomware, WannaCry blocks access to your data by encrypting it and demands money to decrypt it.

It’s understood that the initial attack is via a phishing email with either a malicious attachment or link. The attack exploits computers running unpatched versions of Windows (XP through 2008 R2) through a vulnerability in Microsoft Windows SMB Server. Once a single computer in a network is infected with WannaCry, the program looks for other vulnerable computers on the network and infects them as well.

It’s a timely reminder to be vigilant with email, and not to click on suspicious links or attachments in emails from people you don’t know or with strange/unexpected subject lines. You should also make sure you have recent backups of your system and data stored securely, off-network.

We’ve posted this advisory to support our online community. Xero has not been impacted by WannaCry ransomware.

April 6th, 2017 – Spark Invoice Reminder phishing email

We’ve had reports from people who have received the phishing email below. These emails look like an invoice reminder generated from Xero that has been sent by Spark, spoofing the sending address of sales@spark.com. These emails are being sent out indiscriminately and are not from Spark New Zealand.

Clicking on the invoice link or pdf attachment in these emails will take you to a malicious file, probably containing ransomware.

Always check the sending email address, and check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. Hovering your mouse over the pdf attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Mar 28th, 2017 – Xero Remittance Advice phishing email

We’ve had reports from people who have received the phishing email below. These emails have a sending address of payments@xero-payments.co.uk. This is not a legitimate Xero domain and we are working to have the xero-payments.co.uk domain taken down.

Clicking on the pay slip image will take you to a OneDrive page where you’ll be asked to download a ZIP folder. The ZIP folder contains a malicious JAR file.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it. DO NOT click on the image.

You can find more information about how to protect yourself from email phishing attacks here.

Mar 17th, 2017 – Xero Billing phishing email

We’ve had reports of a phishing email that purports to come from the billing team at Xero. You can see an example of this below. The emails we’ve seen have all been sent from a btconnect.com address. The sender’s address always starts with ‘xero’, but the remainder of the address has not been consistent.

The supposed attached invoice is actually an HTML document. Clicking on the attachment takes you to a fake login page designed to steal your email account name and password.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on the attachment. If you have clicked the attachment and input your user name and password into the fake login page, please change your password immediately. We also recommend that you use two-factor or multi-factor authentication (2FA/MFA) on your email account if this is available.

You can find more information about how to protect yourself from email phishing attacks here.

Mar 14th, 2017 – Xero Invoice phishing email

We’ve had reports from Xero customers and non-customers alike who have received the phishing email below. These emails are spoofing the sending address of invoice@xero.co.nz and being sent out indiscriminately. Xero’s real invoice sending address is messaging-service@post.xero.com.

Clicking on the invoice link or pdf attachment in these emails will take you to a malicious file, probably containing ransomware.

Check the sending email address, and check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window. Hovering your mouse over the pdf attachment in this email will display the same URL as the invoice link.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Dec 6th, 2016 – Xero customer lists scam

We’re seeing some more instances of emails offering Xero customer lists for sale. There’s an example of these emails below, and we’re also seeing them with the subject “Xero reseller contacts”. The sending email address and signature also vary.

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes. The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet. Links in these emails may also take you to malicious web sites.

These scammers do not have access to any Xero customer data. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory. But in any case we recommend you delete these emails without opening them or viewing any attachments. If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

Dec 2nd, 2016 – Xero Invoice phishing email

We’ve had reports from customers who have received the phishing email below, or one similar. These emails are sent from messaging-service@post-xero.org, rather than Xero’s legitimate messaging-service@post.xero.com email address. We’re working to get the @post-xero.org domain taken down.

Clicking on the invoice link in these emails will take you to a malicious web site, possibly containing ransomware.

All of the examples we’ve seen so far have ‘Invoice INV-01823 (Amended)’ in the subject line. But this could change, so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the sending email domain, and check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Nov 2nd, 2016 – Fake Xero Customer Service Phone Number

We’ve been advised of web pages claiming to offer Xero support and providing a phone number for Xero customers to call. The number given is not in any way associated with Xero. The same phone number is also listed on pages on these sites supposedly offering support for other accounting software. We’re told that if you call this number you’ll be asked for your credit card details.

The urls for these web pages are:

This is what the web pages look like:

Please do not go to these pages and do not phone the number provided. If you have called the number on these sites and provided your credit card details, please contact your bank and take action to prevent fraudulent transactions.

Sept 21st, 2016 – Update on Xero Invoice phishing emails

We’re now seeing phishing emails being sent from the @post-xero.com domain. The full From address is messaging-service@post-xero.com, rather than Xero’s legitimate messaging-service@post.xero.com address. We’ve started the process to get the @post-xero.com domain taken down.

Here’s an example of one of these latest phishing emails:

All of the examples we’ve seen so far from this latest phishing campaign have ‘Invoice INV00249’ in the subject line. But this could change so don’t assume an email is legitimate if it doesn’t have this invoice number. They’re also using a variety of company names.

Check any Xero invoice email you receive to ensure it came from our messaging-service@post.xero.com email address. Also check the destination URL for the online invoice before you click on the link. You can do this by hovering your mouse over the link in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Sept 12th, 2016 – Fake Xero Invoice email

We’ve had several reports from people who have received the phishing email below, or one similar. These emails are sent from messaging-service@postxero.com, rather than Xero’s legitimate messaging-service@post.xero.com email address. We’re working to get the @postxero.com domain taken down.

Clicking on the invoice link in these emails will download a ransomware dropper on to your computer.

All of the examples we’ve seen so far have ‘Invoice INV-0860’ in the subject line. But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Sept 5th, 2016 – Xero customer lists “for sale”

We’ve been advised of another email going around that’s offering a Xero customer list for sale.

Here’s an example of the email:

This is another example of a common internet scam that offers customer data for sale for “targeted marketing” purposes. The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random names and email addresses that have been harvested off the internet.

These scammers do not have access to any Xero customer data. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory. But in any case we recommend you delete these emails without opening them or viewing any attachments. If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

Aug 30th, 2016 – Fake Invoice Reminder emails

We’ve had several reports from people who have received the phishing email below. This email is not sent from Xero servers and spoofs the invoicereminders@post.xero.com email address.

All of the examples we’ve seen so far have been for the same dollar amount of $137.50, and the subject lines all contain an organisation name ending in “AG”. But this could change so don’t assume an email is legitimate if it doesn’t follow this pattern. Check the destination URL before you click on a link. You can do this by hovering your mouse over any links in an email (DON’T CLICK) to see the actual destination URL. This will be displayed at the bottom of your browser window.
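The advice repeated through these notices (hover over a link, compare the real destination with what the email shows, and be wary when a “PDF” or invoice link really points at a zip or script file) can be applied to an email’s HTML source automatically. The code below is an added example, not Xero’s own tooling; the sample email body and the example.net host are constructed, and the only fact taken from this page is that genuine Xero links live under xero.com.

```python
"""Audit the links in an HTML email body the way a careful reader would
when hovering over them (added example, constructed sample data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# From the page: genuine Xero addresses are xero.com or a sub-domain of it.
GENUINE_DOMAINS = {"xero.com"}
# File types the notices describe being served from phishing links.
DANGEROUS_EXT = (".zip", ".js", ".jar", ".exe", ".scr")

# Constructed sample body modelled on the fake-invoice emails above.
SAMPLE_HTML = """\
<html><body>
<p>Your xero invoice available now.</p>
<p><a href="http://invoice-download.example.net/bill.php?id=7">View your bill online</a></p>
<p><a href="http://invoice-download.example.net/INV-0860.zip">INV-0860.pdf</a></p>
<p><a href="https://login.xero.com/">https://login.xero.com/</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_genuine_host(host):
    """True for xero.com itself or any sub-domain; 'xero.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def audit_links(html):
    """Return one finding per link with the reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        reasons = []
        if not is_genuine_host(host):
            reasons.append("destination host is not xero.com or a sub-domain")
        if path.endswith(DANGEROUS_EXT):
            reasons.append("destination is a downloadable archive or executable")
        # Visible text that is itself a URL must point where it claims to.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and text_host.lower() != host.lower():
            reasons.append("visible URL text differs from real destination")
        if text.lower().endswith(".pdf") and not path.endswith(".pdf"):
            reasons.append("link labelled as a PDF but destination is not a PDF")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

A passing result only means the link points somewhere under xero.com; it says nothing about the sender, which is why the notices also tell you to check the From address.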

The ‘Download PDF’ link in this email takes you to a compromised Microsoft SharePoint site. The destination file appears to have been removed so we are unable to confirm what was being hosted, but we assume it was malicious.

If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

Jun 22nd, 2016 – More fake Xero emails

We’ve had a few reports from customers who have received the spam email below. This email is not sent from Xero servers and spoofs the no-reply@xero.com email address.

All of the links contained in the email sample we received directed to the ‘evil.com’ web site, which currently contains no malicious content. But future variants of the email may contain more malicious content or links.

If one of these emails makes it as far as your inbox, you should delete it without clicking on any links or attachments.

You can find more information about how to protect yourself from email phishing attacks here.

May 20th, 2016 – Invoice Fraud using hacked email accounts

A few of our customers have reported having their email account credentials compromised and their email accounts being used for invoice fraud. The attackers have found recently sent Xero invoices in their mail boxes and have copied these, updating the payment bank account numbers. Then they send another email to those same customers with the modified invoice attached, advising them that the supplier has changed their bank account number for some reason and asking the customer to make payment to the new, fraudulent account number.

The recent reports we’ve received have all been from New Zealand customers, but with different email providers in each case. There’s been no access to their Xero account, just their email. This could happen anywhere and using any invoice system so everyone needs to be vigilant. If your email provider offers two-factor or multi-factor authentication we recommend you use it to reduce the risk of account compromise, just as we recommend using Xero’s 2SA to protect your Xero account.

If you ever receive an updated invoice from a supplier advising of a new payment bank account number, we strongly advise that you confirm with your supplier that the payment bank account details are really theirs before making payment. Do not use email to do this, please make contact by phone or in person.

Mar 3rd, 2016 – The DROWN attack

“DROWN” is the acronym given to a security vulnerability affecting secure websites. You can find out more information about DROWN at https://drownattack.com/

We have checked all of our services to make sure that we are not affected by this vulnerability. We did discover three misconfigured servers in a test environment, but these have been quickly fixed. At no time was any Xero customer or their information at risk.

Feb 4th, 2016 – Emails spoofing Xero’s message service address

Our monitoring shows a large number of emails being sent that are trying to spoof Xero’s message-service@post.xero.com email address. message-service@post.xero.com is a legitimate Xero email address, but please be assured that these emails are not being sent by Xero. This email ‘spoofing’ campaign is using a forged sender address.

Your email service provider should block these emails so that you don’t see them. But if your email provider doesn’t block them you may get a message in your Spam bin, or a notification of an email received with a virus attachment.

The email will look something like this:

The attachment contains malware (malicious software) that appears to be a generic Trojan, not specifically targeting Xero or our customers.

If you are receiving spoofed emails, we encourage you to ask your email service provider to configure SPF, DKIM and DMARC checking on your mail server so that you stop receiving them.

Jan 13th, 2016 – Scam operating from www.xeronline.com

A fraudulent website hosted at www.xeronline.com is pretending to be Xero. We recommend that you do not enter any personal details into this site, and report any emails received to our support team.

If you have entered any passwords into this site, we recommend changing passwords on any other systems that you use the same password on.

Dec 2nd, 2015 – Scam operating from xerocorp.co.uk domain

Some people have received communications purporting to be from members of Xero’s leadership team using the domain names xerocorp.co.uk and xerocorp.com.

These domain names are not owned by Xero, and the communications received are not on our behalf.

Please do not pay any money to these people or reply to their messages. Instead “Report as Spam” within your mail client and ignore the communications.

Nov 24th, 2015 – Xero user lists “for sale”

Some Xero accounting, bookkeeper or add-on partners have received unsolicited messages offering a “Xero User List” for sale.

Two examples of these messages are below:

These emails are examples of a common internet scam where lists of email addresses are offered for sale for “targeted marketing” purposes. The scammers will either take the buyer’s money and then not deliver the promised email list, or deliver a list of random email addresses that have been harvested off the internet.

Xero has not been hacked, and these scammers do not have access to any Xero user lists. We do not sell or give information about our users to any third party.

The authors of the email may have obtained your email address from your website which they have crawled to through our advisor or add-on directory, but in any case we recommend you delete these emails without opening them or viewing any attachments. If you use an email service that offers a spam reporting feature (such as Gmail), we also recommend that you report any emails like this as spam.

Nov 4th, 2015 – Fake Xero emails

In the most recent Xero-branded scam on the internet, we have had reports of upwards of ten million emails spoofing the post.xero.com domain name and sending a virus-infected xlsx spreadsheet attachment.

The messages are not sent from our servers, but are designed to look like a regular invoice sent from a Xero customer to someone who owes them money:

These fake emails are being sent from thousands of home computers that are infected with malware, so it is impractical to stop the emails being sent.

If one of these emails makes it as far as your inbox, you should delete it without opening the attachment.

Other actions you might want to take:

If the email has not been deleted or quarantined by your anti-malware, check that your anti-malware is up to date, and that it is set to automatically scan all incoming emails.

If you use Microsoft Office, configure it to block the running of Office macros within documents and spreadsheets. (If you need to use macros, make sure at least that Office prompts you every time before running them, and only run macros that you know and trust.)

Xero uses email security controls (SPF, DKIM and DMARC) to identify legitimate emails from us. If you have received a malicious email that appears to be from a xero.com address it means that your email provider hasn’t done the proper checks on incoming mail. You may want to contact them to ask if they are planning to implement SPF, DKIM and DMARC checking.
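Two separate checks appear throughout these notices: whether the From address is really a xero.com address (as opposed to post-xero.org, postxero.com, xeroaccounting.org and the other lookalikes listed above), and whether a message that claims a xero.com address actually passed the SPF, DKIM and DMARC checks that a receiving mail provider records. The code below is an added example, not Xero’s own code, showing how a mail filter could combine both. It assumes the receiving server stamps an Authentication-Results header (the RFC 8601 format) and that xero.com is the only genuine domain; the three messages are constructed.

```python
"""Classify a received email by its From domain and the receiving
server's Authentication-Results (added example, constructed messages)."""
import re
from email import message_from_string
from email.utils import parseaddr

GENUINE_DOMAINS = {"xero.com"}          # from the page: xero.com and sub-domains
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed: a genuine notification that the receiving MTA authenticated.
GENUINE = """\
From: Xero <messaging-service@post.xero.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com
Subject: Invoice INV-0001 from Example Ltd

Your invoice is ready.
"""

# Constructed: a lookalike domain.  SPF/DKIM/DMARC all PASS, because the
# sender controls post-xero.org; authentication does not make it genuine.
LOOKALIKE = """\
From: Xero <messaging-service@post-xero.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=post-xero.org; dkim=pass header.d=post-xero.org; dmarc=pass header.from=post-xero.org
Subject: Invoice INV-0860

Your invoice is ready.
"""

# Constructed: a forged xero.com From address that fails DMARC.
SPOOFED = """\
From: Xero <no-reply@xero.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=xero.com; dkim=none; dmarc=fail header.from=xero.com
Subject: Your Xero invoice

See attachment.
"""


def is_genuine_domain(domain):
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in GENUINE_DOMAINS)


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def classify_sender(raw_message):
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)

    if is_genuine_domain(domain):
        if auth.get("dmarc") == "pass":
            return {"verdict": "genuine", "from": addr, "auth": auth,
                    "reason": "xero.com address and DMARC passed"}
        return {"verdict": "spoofed", "from": addr, "auth": auth,
                "reason": "From claims a xero.com address but DMARC did not pass"}
    if "xero" in domain:
        return {"verdict": "lookalike", "from": addr, "auth": auth,
                "reason": f"{domain} imitates xero.com but is not a Xero domain"}
    return {"verdict": "untrusted", "from": addr, "auth": auth,
            "reason": "not a Xero address"}


if __name__ == "__main__":
    for raw in (GENUINE, LOOKALIKE, SPOOFED):
        r = classify_sender(raw)
        print(r["verdict"].upper(), r["from"], r["reason"])
```

The lookalike case is the one worth noticing: DMARC only proves that the message really came from the domain in the From header, so a scammer’s own domain passes cleanly and the domain allowlist, not the authentication result, is what catches it.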

Finally, if you suspect that you may have opened a malicious file, you will need to carry out a thorough clean up. This should include a complete scan of your computer for malware and removal of any malicious code, then changing any passwords that you might have typed in during the time your computer was infected.

You can find more information about how to protect yourself from email phishing attacks here.